EAC Voting System Test Laboratory Program Manual, Version 3.0


1. Introduction 


1.1. Background. In 2002, Congress passed the Help America Vote Act of 2002 (HAVA).
HAVA created the U.S. Election Assistance Commission (EAC) and assigned to the EAC
the responsibility for both setting voting system standards and providing for the
voluntary testing and certification of voting systems. This mandate represented the first
time that the Federal government provided for the voluntary testing, certification, and
decertification of voting systems nationwide. In response to this HAVA requirement, the
EAC has developed the voting system standards in the form of the Voluntary Voting
System Guidelines (VVSG), a voting system certification program in the form of the
Voting System Testing and Certification Program Manual and this document, the Voting
System Test Laboratory Program Manual.

1.2. Authority. HAVA Section 231(b) (42 U.S.C. §15371(b)) requires that the EAC provide for
the accreditation and revocation of accreditation of independent, non-federal laboratories
qualified to test voting systems to Federal standards. Generally, the EAC considers for
accreditation those laboratories evaluated and recommended by the National Institute of
Standards and Technology (NIST) pursuant to HAVA Section 231(b)(1). However,
consistent with HAVA Section 231(b)(2)(B), the Commission may also vote to accredit
laboratories outside of those recommended by NIST upon publication of an explanation of
the reason for any such accreditation.

1.3. Role of the National Institute of Standards and Technology. Section 231(b)(1) of HAVA
requires that the National Institute of Standards and Technology “conduct an evaluation
of independent, non-federal laboratories and shall submit to the Commission a list of
those laboratories...to be accredited....” Additionally, HAVA Section 231(c) requires NIST
to monitor and review the performance of EAC accredited laboratories. NIST has chosen
its National Voluntary Laboratory Accreditation Program (NVLAP) to carry out these
duties.

NVLAP conducts a review of applicant laboratories in order to provide a measure of
confidence that such laboratories are capable of performing testing of voting systems to
Federal standards. Additionally, the NVLAP program monitors laboratories by requiring
regular assessments. Laboratories are reviewed one year after their initial accreditation
and biennially thereafter. The EAC has made NVLAP accreditation a requirement of its
Voting System Test Laboratory (VSTL) Program. However, a NVLAP accreditation is not
an EAC accreditation. The EAC is the sole Federal authority for the accreditation and
revocation of accreditation of Voting System Test Laboratories.

1.4. Scope. This manual provides the procedural requirements of the EAC Voting System
Laboratory Program. Although participation in the program is voluntary, adherence to 
the program’s procedural requirements is mandatory if VSTLs choose to participate. The 
procedural requirements of this manual supersede any prior laboratory accreditation 
requirements issued by the EAC. This manual is intended to be read in conjunction with
the Voting System Testing and Certification Program Manual.

1.5. Manual Maintenance and Revision. The manual will be reviewed periodically and
updated to meet the needs of the EAC, VSTLs, voting system manufacturers, election
officials, and public policy. The EAC is responsible for revising this document. All
revisions will be made consistent with federal law. Substantive input from stakeholders
and the public will be sought whenever possible. Changes in policy requiring immediate
implementation will be documented via policy memoranda and will be issued to each
VSTL and manufacturer. Changes, addendums, or updated versions will also be posted
on www.eac.gov.

1.6. Clarification of Program Requirements and Procedures. VSTLs and manufacturers
may request clarification regarding the requirements and procedures set forth in this
manual. Requests for interpretation must be based upon ambiguity arising from the
application of this manual. Hypothetical questions will not be considered. Requests
must be submitted to the Program Director in writing as described in Chapter 9 of the
Voting System Testing and Certification Program Manual. The request must clearly
identify the section of the manual and issue to be clarified, a proposed interpretation and
all relevant facts. Clarifications issued by the EAC will be provided to all VSTLs and
manufacturers and published on www.eac.gov.

1.7. Program Personnel. All EAC personnel and contractors associated with this program are
held to the highest ethical standards. All agents of the EAC involved in the VSTL Program
are subject to conflict-of-interest reporting and ethics review, consistent with federal law
and regulation. The term “Program Director” as used throughout this manual refers to the
Voting System Testing and Certification Director. In the event of a vacancy in this
position, the EAC Executive Director will designate staff to temporarily assume these
duties.

1.8. Submission of Documents. Any documents submitted in accordance with the
requirements of this manual must be submitted electronically via secure e-mail or 
physical delivery of digital media. The submitted electronic files must be in PDF format, 
formatted to protect the document from alteration. If sent via physical delivery, by 
certified mail (or similar means that allows tracking) to the following address: 


U.S. Election Assistance Commission 

Attn: Testing and Certification Program Director 
633 3rd Street NW, Suite 200 

Washington, DC 20001 


1.9. Receipt of Documents — VSTL. For purposes of this manual, a document, notice, or other
communication is considered received by a VSTL upon its physical or electronic arrival at
the VSTL’s main office.

1.10. Receipt of Documents — EAC. For purposes of this manual, a document, notice, or other
communication is considered received by the EAC upon its physical or electronic arrival
at the agency. All documents received by the agency will be physically or electronically
date stamped and this stamp will serve as the date of receipt.

1.11. Record Retention. The EAC retains all records associated with the VSTLs. The records are
retained or disposed in accordance with federal law.

1.12. Publication and Release of Documents. The EAC releases documents consistent with the
requirements of federal law. It is EAC policy to make the certification process as 
transparent as possible. Any documents (or portions thereof) submitted under this 
Program are made available to the public unless specifically protected from release by 
law. All submitted documentation must utilize the least restrictive markings possible. The 
primary means for making this information available is through www.eac.gov. 


2. Program Requirements 


2.1. Overview. This chapter lists the requirements of the VSTL Program. Adherence to these
requirements is a condition of accreditation and a continuing obligation. Failure to
demonstrate compliance with the requirements of this chapter may result in the denial of
an application for accreditation, suspension of accreditation, or revocation of
accreditation.

2.2. NIST Recommendation. According to the Help America Vote Act of 2002, Section 231(b),
NIST must perform a technical evaluation of VSTLs and identify and recommend those
competent to test voting systems to the EAC, unless the emergency provisions of Chapter
3 apply.

2.3. NVLAP Accreditation. All VSTLs must hold a valid accreditation from NIST’s National
Voluntary Laboratory Accreditation Program (NVLAP), unless the emergency provisions
of Chapter 3 apply. NVLAP accreditation is the primary means by which the EAC
ensures that each VSTL meets and continues to meet the technical requirements of the
EAC program. It sets the standards for each VSTL’s technical, physical and personnel
resources, as well as its testing, management, and quality assurance policies and
protocols. The loss or suspension of a NVLAP accreditation will result in the suspension
and possible revocation of any EAC accreditation consistent with the procedures of
Chapter 5 of this manual. VSTLs are required to immediately report any change in their
NVLAP accreditation status to the EAC.

2.4. Conflict of Interest and Prohibited Practices Program.

All laboratories must maintain and enforce policies which prohibit and prevent conflicts 
of interest or the appearance of conflicts of interest. A laboratory must ensure that neither 
the laboratory, its parent corporation, contracted third-party laboratories, nor any 
individual staff member involved in the testing of voting systems have any vested interest 
in the outcome of the test processes. Laboratories must have a written policy in place that, 
at a minimum, (1) prohibits conflicts of interest and other prohibited practices, and (2) 
provides for enforcement, consistent with the subsections below. 


2.4.1. Prohibited Conflicts of Interest. The purpose of a conflict-of-interest policy is to prevent 
situations where the exercise of an official duty directly impacts the actor’s financial 
interests. For the purposes of this program, a prohibited conflict of interest exists when the 
duties and responsibilities of a laboratory, parent corporation, or a laboratory employee 
involved in the testing of voting systems under EAC’s Testing and Certification Program 
have a direct and predictable effect on the financial interest of that laboratory, parent 
corporation, or a laboratory employee. Agreements with voting system manufacturers to
provide testing pursuant to the requirements of EAC or a State’s certification program do 
not constitute a prohibited conflict of interest. Certification testing is considered a duty and 
responsibility of a VSTL, not an outside financial interest. 


For example, an employee who is responsible for testing a voting system on behalf of a 
VSTL would be prohibited from holding a financial interest in the entity whose product is 
being tested or a direct competitor of that entity. A prohibited conflict of interest would 
also include a contractual or other fiduciary relationship between a VSTL or VSTL 
employee and a manufacturer (outside an agreement for State or Federal certification 
testing) when that VSTL or VSTL employee is concurrently responsible for conducting 
certification testing for that manufacturer under this program. 


Additionally, financial interests may be imputed or attributed to a laboratory, parent 
corporation, or a laboratory employee through a relationship with a third party. 


For example, a VSTL employee responsible for the testing of a voting system would be 
conflicted from performing his or her duties if his or her spouse owned a financial interest 
in the manufacture of the voting system. 


2.4.1.1. Involved in Testing — Defined. An organization is involved in voting system 
testing any time it contractually takes on the responsibility for testing a voting 
system to the VVSG under the EAC’s Testing and Certification Program. An 
employee is involved in voting system testing when the employee performs 
testing on the system, manages the testing process, or supervises those who 
perform testing on the system. 


2.4.1.2. Financial Interest — Defined. Financial interest means any current or contingent 
ownership, equity, or security interest in real or personal property or a business 
and may include indebtedness or compensated employment relationship. It also 
includes interests in the nature of stocks, bonds, partnership interests, fee and 
leasehold interests, and other property rights, deeds of trust, and liens, and 
extends to any right to purchase or acquire any such interest, such as a stock 
option or commodity future. 


2.4.1.3. Direct Effect — Defined. A matter will have a direct effect on a financial interest if 
there is a close causal link between any decision or action to be taken in the 
matter and any expected effect of the matter on the financial interest. An effect 
may be direct even though it does not occur immediately. A matter will not have 
a direct effect on a financial interest if the chain of causation is attenuated or is 
contingent upon the occurrence of events that are speculative or that are 
independent of, and unrelated to, the matter. A matter that influences a financial 
interest only as a consequence of its effects on the general economy does not 
have a direct effect within the meaning of this section. 


2.4.1.4. Predictable Effect — Defined. A matter will have a predictable effect if there is a 
real, as opposed to a speculative, possibility that the matter will affect the 
financial interest. It is not necessary that the magnitude of the gain or loss be 
known, and the dollar amount of the gain or loss is immaterial. 


Imputed Interests — Defined. An imputed interest is a financial interest held by a
third-party individual or organization that serves to disqualify an employee or
laboratory to the same extent as if they were the employee’s or laboratory’s own
interest. These interests include:

• the financial interests of a spouse or dependent child will be imputed to
an employee,

• the financial interest of any organization in which a laboratory, parent
corporation, or a laboratory employee serves as an employee, officer,
board member, partner, consultant, director, trustee or similar position
must be imputed,

• the interests of any contracted third-party laboratory must be imputed to
the utilizing VSTL, and

• the financial interest of a person or organization with whom an
employee is negotiating or has an arrangement concerning prospective
employment must be imputed.

2.4.2. Prohibited Practices. Irrespective of the existence of a conflict of interest, it is a
prohibited practice for a laboratory, parent corporation, or laboratory employee
to be involved in the development of a voting system or to solicit or receive a
gift from a voting system manufacturer.


A laboratory or individual may not be involved in both the development of a 
voting system and the certification of a system. Voting system development 
includes any testing, consultation, or design work performed in order to ready 
a specific system for the marketplace or the certification process. Any testing 
performed on behalf of a voting system manufacturer that was not performed 
pursuant to a state or federal voting system certification program is considered 
developmental in nature. 


The prohibition barring participation in both development and testing is voting 
system specific. An employee or laboratory that was previously involved in 
product development with a manufacturer is not prohibited from testing all 
systems produced by that manufacturer, just those systems in which the 
employee or laboratory participated directly in development. The prohibition 
relates to a VSTL’s prior involvement in system development. Concurrent 
development work and testing may constitute a prohibited conflict of
interest under Section 2.4.1 of this manual.


As voting systems are subject to change over time, for the purposes of this 
prohibition, a voting system is considered altered to the degree that it is a 
different system when: 

• a period of at least three years has passed since the VSTL or employee
was involved in the system’s development,

• the system has been subject to both software and hardware
modification since the VSTL or employee was involved in the system’s
development, and

• the system has received a certification after being tested by a different
independent laboratory since the VSTL or employee was involved in
the system’s development.

The prohibition barring participation in both development and testing does not
prohibit a VSTL from allowing a manufacturer to perform onsite hardware
mitigation on a voting system in response to a minor system failure or anomaly.
In such cases the VSTL:

• must suspend all hardware testing,

• must not participate or assist the manufacturer in remediation,

• may provide testing equipment and qualified operators to the
manufacturer for its use,

• must monitor and document the manufacturer’s access to the system
consistent with Section 2.16 of this manual, and

• must document in the test report the failure or anomaly and remedial
action taken by the manufacturer consistent with Section 4.8.6.2 of this
manual and Chapter 4 of the Voting System Testing and Certification
Program Manual.


2.4.2.1. Gifts. Solicit or receive a gift, directly or indirectly, from any entity
which holds a financial interest in the development, production, or
sale of voting systems, or is otherwise impacted by the testing and 
certification of voting systems. A “gift” under these policies 
generally does not include items such as publicly available discounts 
and prizes, commercial loans, food not part of a meal such as coffee 
and donuts, and items of little value such as plaques and greeting 
cards. Relevant factors in making such a determination include the 
history of the relationship and whether the family member or friend 
personally pays for the gift. 


2.4.3. Program Enforcement Elements. Prohibited conflicts and practices are 
enforced through a written program which: 


2.4.3.1. Regarding Employees Involved in the Testing of Voting Systems

Annually collects standard information from each employee,
including assets, debts, outside or prior activities/employment, gifts,
and any work on voting system development sufficient to
demonstrate compliance with Sections 2.4.1. and 2.4.2. of this
manual. The information collection must also reflect the financial
interests of those individuals (like spouses and minor children)
whose interests are imputed to the employee.

Requires and documents the review of information collected for
potential conflicts and prohibited practices.

Resolves and documents all identified conflicts of interest or
prohibited practices prior to the employee or laboratory’s
involvement in the testing of any voting system. Resolutions may
include the divestiture of assets or gifts, employee resignation from
outside organizations, or the altering of an employee’s
responsibilities by prohibiting participation in voting system testing
or the testing of a specific system.

2.4.3.2. Regarding the VSTL or VSTL’s Parent Corporation

Annually collects information pertaining to the holdings and
activities of the VSTL and its parent corporation(s), sufficient to
demonstrate compliance with Sections 2.4.1. and 2.4.2. of this
manual.

Requires and documents the review of collected information for
potential conflicts and prohibited practices.

Resolves and documents all identified conflicts of interest or
prohibited practices prior to the laboratory’s testing of any voting
system. Resolutions may include the divestiture of assets or gifts,
and the termination or rejection of conflicted or prohibited testing
work.

2.4.3.3. Regarding Contracted Third-Party Laboratories. The interest of a contracted
third-party laboratory may be imputed to a VSTL. VSTLs may meet and 
enforce the program requirements of this section regarding this
relationship in one of two ways:

• Collect information pertaining to the holdings and activities of
the third-party laboratory and its employees, sufficient to
demonstrate compliance with Section 2.4.1. and 2.4.2. of this
manual. This includes gathering information concerning any
involvement by the third-party laboratory or its employees in
the development of specific voting systems. This collection of
information must be performed prior to the execution of any
contract for the testing of voting systems under this program
and annually thereafter if the contract exceeds one year in
duration. Require and document the review of collected
information for potential conflicts. Resolve all identified conflicts
of interest prior to the laboratory’s testing of any voting system.

• VSTL supervision of third-party laboratories performing non-core
testing. Where a third-party laboratory is subject to direct
VSTL supervision and observation, the third-party laboratory’s 
conflicts of interest or prohibited practices will not be imputed 
to the lead VSTL. Direct VSTL supervision under this section 
requires that a VSTL employee is physically present during the 
third-party testing and directly observes and supervises the 
testing. This VSTL employee must: (1) have been properly vetted 
for conflict of interest and prohibited practices pursuant to 
Section 2.4 of this manual, (2) be competent to supervise the 
testing being performed and (3) have no financial interest in the 
third-party laboratory they are supervising. 


2.4.4. Waivers. In rare circumstances, prohibited practices or conflicts of interest may 
be waived by the EAC after the conflict or prohibited practice is properly 
disclosed to the agency. Waivers may be granted at the sole discretion of the 
Program Director. 


2.4.4.1. Requesting a Waiver. A request for a waiver must be made in writing to
the Program Director. The request must fully disclose the conflict of
interest or prohibited practice for which the waiver is sought, describe
all steps taken to resolve the conflict or prohibited practice, and the
reasons why such attempts were unsuccessful or otherwise untenable.
The request must also state why the waiver should be granted.

2.4.4.2. Waiver Standard. A disqualifying conflict of interest or prohibited
practice is subject to waiver when the issuance of a waiver is in the best
interest of the EAC’s Testing and Certification Program, and the
identified conflict or practice is unlikely to affect the integrity or
impartiality of the VSTL or VSTL employee’s services under the EAC’s
Testing and Certification Program. The Program Director may consider
the following factors in making a waiver determination:

• The value of any disqualifying financial interest.

• The nature and impact of any prohibited practice.

• The role and responsibility of the employee subject to the
conflict of interest or prohibited practice.

• The availability of other employees, VSTLs or laboratories to
conduct the testing without a conflict or prohibited practice.

• The level of discretion or sensitivity required to perform the
conflicted or prohibited duties under the certification program.

• The ability of an EAC waiver to adjust a VSTL or VSTL
employee’s testing process and duties or otherwise mandate
additional safeguards which would limit or abrogate the
impact of the conflict of interest or prohibited practice.

2.4.4.3. Issuing a Waiver. Any waiver issued by the Program Director must be
made in writing to the requestor. The waiver must state with specificity
the conflict of interest or prohibited practice waived, and clearly state
any conditions for its issuance, such as mitigating processes,
procedures, or safeguards. The VSTL is responsible for meeting all
waiver conditions prior to engaging in the waived activity. Failure to
meet such condition may result in the revocation of a VSTL’s
accreditation.

2.4.4.4. Denying a Request for a Waiver. Any decision denying a request for a
waiver must be made by the Program Director in writing and
provided to the VSTL.

2.5. Personnel Policies. All laboratories must have written policies to ensure that they do not
employ individuals, in any capacity related to the testing of voting systems, who have
been convicted of a felony offense or any criminal offense involving fraud,
misrepresentation, or deception under either Federal or state law. The VSTL must have a
program in place to enforce this policy and document such enforcement.

2.6. Notification of Changes. All laboratories must notify the EAC in writing within 15
calendar days of any significant changes in laboratory operations from what the 
laboratory described in any assertion that served as the basis for its EAC accreditation, 
including any assertions made to NIST’s NVLAP or to the EAC. Examples of events that 
require written notification include, but are not limited to: 

• a laboratory’s decision to withdraw from the EAC’s program,

• changes in ownership of the laboratory,

• a change in location of the laboratory facility, or

• personnel changes in key staff positions.
2.7. Site Visits. All laboratories must allow EAC representatives to enter their voting system
testing facilities pursuant to the procedures and requirements of this manual.

2.8. Notice of Lawsuits. All laboratories must notify the EAC of any lawsuits or claims filed
against it, its subcontractors, subsidiaries, employees, officers, owners, operators, or
insurers while the laboratory holds an EAC accreditation and which relate to the work
performed in, or management of, the laboratory’s voting system testing program.

2.9. Testing, Technical Practices, and Reporting. All laboratories must conduct testing in
conformance with the applicable requirements of the VVSG. Additionally, the VSTL must 
create written reports of such testing in accordance with the Voting System Testing and 
Certification Program Manual, any applicable test assertions or test suites mandated by 
the EAC, and any other written guidance published by the EAC. 


2.9.1. Test Readiness Notification. Upon completion of the TRR, the VSTL must submit a
written statement to the EAC confirming that the voting system completed the
TRR and that the system is ready for certification testing to the applicable VVSG 
requirements. 


2.9.2. Test Readiness Acknowledgement. Upon receipt of the test readiness notification 
from the VSTL, the EAC must issue written acknowledgement within three 
business days of receipt of the notification. 


2.10. Test Plan. The VSTL must submit a test plan directly to the EAC consistent with the
requirements of the Voting System Testing and Certification Program Manual, the
applicable VVSG, this manual, and any other written guidance from the EAC. 


2.10.1. Test Case. After approval of the VSTL’s test plan, the VSTL must develop test 
cases. A test case is a system-specific, step-by-step test procedure or testing 
process that provides detailed test operation procedures sufficient for trained 
laboratory personnel to fully conduct a given test and produce repeatable results. 
If test assertions exist for a specific requirement, the assertions will provide details 
about the requirement making it easier to create the test case. Additionally, if all 
VSTLs use the test assertions, this will help ensure that test cases are uniform 
across all accredited VSTLs. The VSTL must provide all test cases to the EAC upon 
testing completion. 


2.11. Testing. VSTLs must conduct testing in conformance with the applicable VVSG
requirements and consistent with any written EAC interpretations of these requirements.
VSTLs must test system identification tools during the test campaign to ensure they 
function properly and as intended. The laboratory must maintain its technical practices 
consistent with the standards which served as the basis for its NVLAP accreditation. 
These standards include International Standard ISO/IEC 17025, General Requirements for the 
Competence of Testing and Calibration Laboratories; NIST Handbook 150, Procedures and 
General Requirements; NIST Handbook 150-22, Voting System Testing; any documents
supplementing, updating or replacing these standards or handbooks; and any pertinent
EAC guidance. When conducting testing under EAC’s program, VSTLs must only 
conduct testing of voting systems consistent with the scope of their accreditation. 


2.11.1. Third-Party Testing. VSTLs may contract or provide for the testing of voting 
systems by third parties under this program. However, the VSTL is responsible for 
the accuracy, quality assurance, and results of all tests conducted. VSTLs must not 
perform, or contract for the performance of, testing outside the scope of its 
accreditation. Testing performed directly by VSTL personnel using third-party
contractor equipment and facilities is not considered third-party testing.


2.11.1.1. Core Testing. Core voting system testing must only be performed by 
VSTLs. Core testing includes Technical Data Package review, physical 
configuration audit, source code review, functional configuration audit, 
system integration testing, volume testing, and security testing (not 
including cryptographic testing). 


Non-Core Testing. Non-core testing may be performed by non-VSTLs if 
they hold an EAC recognized accreditation to perform the relevant 
testing. The EAC recognizes two national accreditation bodies, NIST’s 
NVLAP program and the American Association of Laboratory 
Accreditation (A2LA). Generally, a VSTL may only contract or 
otherwise provide for the non-core testing of voting systems if it uses a 
NVLAP or A2LA laboratory accredited to the specific scope of testing 
necessary. Non-core testing includes electromagnetic compatibility 
testing, telecommunications testing, environmental testing, electrical 
testing, acoustical testing, accessibility testing, usability testing, and 
cryptographic testing. 


In limited circumstances, laboratories not holding a recognized 
accreditation may be used by VSTLs for non-core testing only after 
approval by the Program Director. Requests for such approval must be 
made in writing and demonstrate: 

(1) That there is no recognized laboratory available within a 
reasonable window of availability and geographic proximity 
(generally within the continental United States), and 

(2) that the VSTL has conducted a thorough assessment of the third-party
laboratory’s capabilities, quality system, management system,
and/or alternative accreditations and have determined and 
documented that the laboratory is qualified to perform testing. 


The EAC may visit, interview or audit any non-accredited laboratory
at any time before, during, or after the testing has occurred to verify
their qualifications.

2.11.1.2. VSTL Responsibilities. VSTLs are responsible for all tests performed on
voting systems submitted to them by manufacturers under EAC’s 
Testing and Certification Program including testing performed by 
third-party laboratories under their direction. Any procedural or 
substantive irregularities or errors which occur during the third-party 
testing process will be imputed to the VSTL. Such failures may serve as 
a basis for the revocation of accreditation. VSTLs using third-party 
laboratories must take steps to ensure that the third-party laboratories 
they employ meet the standards of this program. At a minimum, the 
lead VSTLs must ensure: 

e The third-party laboratory provides the VSTL verifiable 
documentation regarding its relevant accreditation. 


e Any hardware tested by the qualified third-party laboratory is 
first validated by the VSTL as the same hardware presented for 
certification. 


e The third-party laboratory provides the VSTL with evidence that 
it directs its activities in compliance with any and all relevant 
VVSG requirements for testing and that the testing was, in fact, 
performed consistent with such specific requirements. Any 
special procedures, tools, or testing software necessary to meet 
VVSG requirements must be validated by the VSTL prior to use. 
For example, the VVSG requires that systems be tested while 
operating and that such operation be in manner and under 
conditions that simulate election use. In such cases, the VSTL 
must ensure that the third-party laboratory properly implements 
the VVSG requirements, validate its election simulation tools, 
and properly performed the testing. 


• The VSTL performs all system accuracy, reliability, functionality
and integration testing. 


• The third-party laboratory issues a report to the VSTL that fully
documents its testing such that the VSTL may demonstrate 
compliance with this section and produce a report consistent 
with Section 2.12 of this manual. 


2.12. Test Report Package. The test report package represents the culmination of the testing 
process and must accurately and completely document the testing performed and the 
results of such testing. VSTLs must submit test report packages directly to the EAC and 
must include: 


2.12.1. Test Report. All test reports must document the testing process, including the 
documentation and justification for any divergence from the EAC-approved test plan, 
methods, or cases and the identification of all failures and/or anomalies along with any
remedial action taken (see Chapter 4 of the Voting System Testing and Certification 
Program Manual). VSTLs must not include any proprietary test cases in the test report. 
Test reports must also document any prescribed maintenance or modifications, performed 
by the manufacturer, to a voting system in testing. Such maintenance or modifications 
must be monitored by the VSTL consistent with Section 2.11.1 of this manual. 


2.12.2. Format. To the greatest extent possible, VSTLs must write reports that are 
understandable to non-technical persons. As the EAC is responsible for publishing 
these reports (barring portions prohibited by law), VSTLs must refrain from 
including in them trade secrets or other commercial information protected from 
release unless substantively required. Where information protected from release 
may be included, it must be identified consistent with Chapter 7 of this manual. 
VSTLs must format each test report consistent with the requirements of Appendix 
E of this manual. 


2.12.3. VSTL Attestation. The signature page on the VSTL’s test report must include an 
attestation stating that: 
• all testing prescribed by the test plan or amended test plan was performed
as identified or the divergence from the test plan was properly
documented,


• all identified voting system anomalies or failures were reported and
resolved, and


• that the test report is accurate and complete.


2.13. Acceptance of Prior Testing. Prior testing of a voting system by a VSTL may be reused at 
the discretion of the EAC. The EAC encourages VSTLs to use such testing to fulfill 
certification requirements. The VSTL must obtain written approval from the EAC for all 
reuse requests. In order for the EAC to accept prior testing, VSTLs must provide evidence 
that the requirements below are met: 


2.13.1. The discrete software or hardware component of the voting system previously 
tested is demonstrably identical to the voting system presently offered for 
testing. VSTLs must examine and compare the components and documentation 
to ensure there is no change in the voting system. When valid prior testing is 
used, the system must be subject to regression testing, functional testing and 
system integration testing, and any other testing deemed necessary to ensure 
compliance with the VVSG and this manual. 


2.13.2. The requirements and relevant EAC requests for interpretation applicable 
to the prior and current testing are identical. 


2.13.3. The test methods used are equivalent or identical to current test methods 
accepted by the EAC.


2.13.4. The prior testing was reviewed by the VSTL with no apparent errors or 
omissions and fully complies with the VVSG and this manual. 


2.13.5. Testing from previous EAC test campaigns can only be submitted for reuse if the 
EAC accepted a final test report for that campaign. 


2.13.6. The use of prior testing must be noted in the test plan and test report, with 
test report titles, numbers, and descriptions. 


2.14. Termination of Testing Prior to Completion. VSTLs must notify the EAC Program
Director if testing is terminated prior to completion. This notification must be in writing
and state the reason(s) for termination, provide a list of all testing completed, and
produce a report of test anomalies or failures pursuant to Section 4.9.2 of the Voting
System Testing and Certification Program Manual.


2.14.1. Termination Defined. Voting system testing is considered terminated when
the testing process is permanently ended or halted without a specific plan to
recommence within 30 calendar days of the last test performed.


2.14.2. Effect of Termination. Notification of termination will result in the suspension of
the manufacturer’s certification application and will be posted on www.eac.gov.


2.14.3. Resubmission after Termination. Manufacturers may resubmit a system
previously terminated by submitting an updated application consistent with
Chapter 4 of the Voting System Testing and Certification Program Manual. A
system resubmitted to the EAC after termination must be tested by the VSTL
identified on the original application.


2.15. VSTL Verification of Trusted Build. At the conclusion of each test campaign, VSTLs
must verify the trusted build and associated materials required to be escrowed in the EAC
repository (see Section 5.3 of the Voting System Testing and Certification Program
Manual).


2.16. Laboratory Independence. All laboratories must maintain their independence from
voting system manufacturers, consistent with their roles and responsibilities as a key 
component of the EAC Certification Program. VSTLs must maintain an arm’s length 
relationship with the manufacturers and avoid even the appearance of improper conduct. 
In order to maintain independence, VSTLs must adhere to the following independence 
principles and requirements: 


2.16.1. Testing Independence. Only the VSTL identified on a voting system’s
application form may test or oversee the testing of that system. A
manufacturer must not perform or participate in any testing that will serve
as the basis of an EAC certification. Additionally, VSTLs must ensure that
manufacturers do not have access to a system under test unless accompanied
and monitored by a VSTL representative. The EAC recognizes that in some
cases there is value in allowing manufacturers to witness a particular test or
a re-creation of a test in order to allow them to comment on the proper
system set up or operation. Such participation must be (1) at the discretion of
the VSTL, (2) supervised by the VSTL, and (3) clearly documented in order to
maintain laboratory independence.


2.16.1.1. The VSTL may at any time, and at its own discretion, halt an active
certification test and allow the manufacturer into the testing room for a
re-creation of the test being performed. If the VSTL chooses to do this, it
must:


• document the time and circumstance that cause a halt in testing,


• document the reason why the manufacturer’s presence is needed,


• document the result of the test prior to re-creating the test for the
manufacturer, and


• document any re-running of the official EAC Certification Test. This
documentation must include any change that occurred to the “as
run” test case as a result of the re-creation and the result of the
official test.


• Have the test supervisor in charge of the project present for the
re-creation of the test. If the tester conducting the test is also the test
supervisor in charge of the project, one other VSTL employee must
be present in the room during the re-creation of the test.
Documentation of the re-creation of the test must include lab
personnel present at the time of the re-creation; and


• All documentation must be retained according to NVLAP and EAC
requirements.


2.16.1.2. The VSTL may, at its own discretion, create a closed-circuit video feed
or web cam feed of the testing being conducted and allow for real time
correspondence between testers and the manufacturers provided that:


• All correspondence (i.e., letters, emails, memos, recorded video
calls, etc.) between the testers and the manufacturer is documented
and retained, and


• Any changes to the testing that result from correspondence
between the manufacturers and the VSTL are signed off by the VSTL
project manager and provided to the EAC as part of the test report
package.


2.16.1.3. The VSTL may, at its discretion, provide supervised access to the 
manufacturer prior to and during the testing to perform unscheduled 
and non-routine maintenance provided that: 


• All documentation related to the maintenance activities is recorded
within the "as run" test case, and


• Any unscheduled maintenance that is performed is documented in
the discrepancy report and included as part of the test report
materials.


2.16.2. Decision Making. Determinations regarding testing, test requirements, and test 
results must be made on the basis and for the purpose of ensuring that the 
systems tested meet the VVSG. 


2.16.3. Single Laboratory Requirement. Manufacturers are prohibited from changing 
laboratories during the testing process. Once a VSTL is identified by the 
manufacturer to test a system, a test report will not be accepted by the EAC from 
any other laboratory unless authorized pursuant to Chapter 4 of the Voting 
System Testing and Certification Program Manual. This strict policy supports 
VSTLs in their independent decision-making role. VSTLs must immediately 
notify the Program Director any time a manufacturer withdraws a product from 
testing, or the testing is otherwise terminated. 


2.16.4. Fee for Service. All fees paid by a manufacturer to a VSTL must be solely for 
services rendered. A VSTL must reject payment that is not directly linked to 
services necessary to complete system testing and must reject payment that is 
conditioned or dependent on testing outcome. 


2.16.5. Communications. All substantive discussions regarding the outcome, cost, 
payment and testing of a voting system must be documented in writing by the 
VSTL. This includes, but is not limited to letters, emails, reports, meetings, and 
telephone calls. These records must be maintained consistent with Section 2.20 
of this manual. Examples of substantive discussions between the lead VSTL and 
a manufacturer include but are not limited to all contracts and amendments, 
discussions regarding the set up and operation of the voting system during 
testing, discussions with the manufacturer regarding the test plan, test cases, 
testing, or the test report; and discussions regarding implementation or 
interpretation of the standards. 


2.16.6. Cooperation with EAC. VSTLs must cooperate with any EAC inquiries and
investigations into a certified system’s compliance with the VVSG and any
VSTL testing related to that system consistent with Chapter 7 of the Voting
System Testing and Certification Program Manual.


2.16.7. Testing Facilities. To avoid the appearance of impropriety and otherwise
maintain laboratory independence, VSTLs must not conduct testing at a facility
that is owned or controlled by a manufacturer. If exceptional circumstances exist
requiring that the VSTL use manufacturer facilities, the VSTL may request a
waiver from the EAC. The request must be in writing to the Program Director
and clearly state why such testing is necessary. A waiver may be granted at the
sole discretion of the Program Director and may impose necessary restrictions,
limitations, and requirements on testing. Waivers will be granted only in
exceptional circumstances.


2.16.8. Improper Influence. Any attempt by a manufacturer to unduly influence the test
process must be immediately reported to the Program Director. The EAC will
conduct a review of the situation and will terminate the test campaign if it is
found that the manufacturer attempted to unduly influence testing.


2.17. Authority to do Business in the United States. All laboratories must be lawfully
entitled or otherwise not prohibited from doing business with the United States or its
citizens or operating in the United States.


2.18. Communications. All laboratories must designate and identify an individual or
individuals who may speak for and act on behalf of the VSTL. VSTLs must maintain an
open line of communication with EAC and provide prompt response to requests for
information regarding the program.


2.19. Resources and Financial Stability. All VSTLs must allocate sufficient resources to
enable the laboratory to properly use and maintain its test equipment, personnel, and
facility and to satisfactorily perform all required laboratory functions. The laboratory
must maintain insurance policies sufficient to indemnify itself against financial
liabilities, penalties that may result from its operations, and against the potential losses
identified in its liability assessment. VSTLs must document solvency through
demonstrating that the laboratory’s assets are greater than its liabilities in its audited
financial statement.


2.20. Recordkeeping. All laboratories must have a written policy regarding the proper storage,
management, and retention of all records relating to the testing of voting systems. At a 
minimum, this policy must require all forms, reports, test records, observations, 
calculations, and derived data for all tests performed on a given voting system (or 
component of said system) be retained for a period of at least five years after the last test 
performed on that system (or component of any version of said system). The policy must 
also require that all documents are maintained in a safe and secure environment and 
stored in a manner that provides for timely identification and retrieval and kept in a data 
format usable and available to the EAC.


3. Accreditation Process


3.1. Overview. This chapter sets forth the required steps laboratories must perform in 
order to receive an EAC accreditation. The process generally includes an application 
for and receipt of a NIST recommendation; receipt of an EAC invitation to apply; and 
the successful submission, acceptance, and review of an EAC application. 


3.2. NIST Recommendation. The EAC is mandated under Section 231 of the Help America 
Vote Act of 2002 (HAVA) (42 U.S.C. §15371(b)) to “... provide for the certification,
de-certification and re-certification of voting system hardware and software by accredited
laboratories.” As part of this process, HAVA requires the NIST to evaluate independent 
non-Federal test laboratories. NIST selects those laboratories that are technically 
qualified to test voting systems and recommends them to the EAC for accreditation. A 
laboratory must have a NIST recommendation before it may be considered for EAC 
accreditation. 


3.2.1. NIST Recommendation Process. NIST utilizes its NVLAP to perform this 
evaluation. NIST, through the NVLAP process, assesses laboratory technical 
capabilities, procedures and personnel before recommending a laboratory for 
EAC accreditation. The requirements, procedures, and application process for 
requesting consideration by NIST for recommendation to the EAC may be found
at www.nist.gov/NVLAP.


3.2.2. Emergency EAC Accreditation without NIST Recommendation. HAVA
authorizes the EAC to consider and accredit laboratories without a NIST
recommendation (42 U.S.C. §15371(b)(2)(B)). The EAC will accredit laboratories
without a NIST recommendation only as an emergency action.


• Emergency Action — Defined. The EAC will take emergency action only in
instances where (1) there is a significant national need for accredited
laboratory testing capacity that cannot be met by existing VSTLs, (2) the
shortage of laboratory testing capacity may cause a disruption in the orderly
administration of federal elections, and (3) NIST is not capable of timely
recommendation of new laboratories to meet needs. Consistent with HAVA,
the EAC must publish its basis for emergency action following the above
standards.


• Emergency Action — Process. Laboratories will be accredited by the EAC in an
emergency action only after they have been properly assessed according to
international standards and applicable NIST guidance. These standards
include International Standard ISO/IEC 17025, General Requirements for the
Competence of Testing and Calibration Laboratories; NIST Handbook 150,
Procedures and General Requirement; NIST Handbook 150-22, Voting System
Testing; and/or any documents supplementing, updating or replacing these
standards or handbooks.


• Emergency Action — Provisional. Any accreditation provided by the EAC
through its emergency action authority is provisional in nature and limited in
scope. All emergency accreditations expire on a date specified by the EAC.


3.3. EAC Invitation. After receipt of a NIST list of recommended laboratories, the EAC will
send a letter to the laboratories inviting them to apply for EAC accreditation under the
VSTL program. No laboratory may apply for EAC accreditation without an invitation
from the Commission. The letter of invitation will identify the scope of accreditation for
which the laboratory may apply. The invited laboratories must follow the application
procedure noted in Section 3.4, below.


3.4. Application. EAC is the sole authority for VSTL accreditation. While NIST’s
recommendation serves as a reliable indication of potential technical competency, the 
EAC must take additional steps to ensure that laboratory policies are in place regarding 
issues like conflict of interest, record maintenance, and financial stability. Laboratories are 
required to submit an application requesting accreditation. The application must be 
addressed to the Program Director and include (1) all required information and 
documentation; (2) a signed letter of agreement; and (3) a signed certification of conditions 
and practices. 


3.4.1. Information and Documentation. The laboratory must submit the information 
and documents identified below as a part of its application. These documents 
must be reviewed by the EAC in order to determine whether the laboratory 
meets the program requirements identified in Chapter 2. The laboratory must 
properly label any documents, or portions of documents, it believes are 
protected from release under federal law. 

• The legal name of the laboratory


• Mailing address of the laboratory


• Physical location of the laboratory (if different than the mailing address)


• Name, phone number, and e-mail address of the voting system testing program
manager or individual responsible for the voting system testing program


• Name, phone number, and e-mail address of the titled head of the laboratory
(i.e., CEO)


• Name, title, phone number, and e-mail address of the individual or individuals
designated to speak for and act on behalf of the laboratory


• The business contact information (such as point of contact, address, Web site,
e-mail address) to be posted on www.eac.gov


• The identity of the laboratory’s insurer(s), name of insured, and coverage limits
for any comprehensive general liability policies, errors and omissions policies,
professional liability policies, and bailee policies


• A written assessment of the laboratory’s commercial general liability


• A signed statement certifying that it maintains workman’s compensation policy
coverage sufficient to meet the applicable state’s minimum requirements


• A copy of the laboratory’s organizational chart that includes the names of key
staff responsible for the testing of voting systems


• A copy of the laboratory’s conflict of interest policy which implements the
standards of Section 2.4 of this manual


• A copy of the laboratory’s personnel policy which implements the
standards of Section 2.5 of this manual


• A copy of the laboratory’s recordkeeping policy which implements the
standards of Section 2.20 of this manual


• A copy of the laboratory facilities brochure
• A copy of the most recent annual report, the names of the current board of
directors and the previous year’s board of directors, the names of any
majority shareholders, and audited financial statements of the companies
or entities that own and operate the laboratory. Laboratories not
incorporated should provide comparable information.


3.4.2. Letter of Agreement. The laboratory must submit a signed letter of agreement as
a part of its application. This letter must be signed by an official that is vested
with the legal authority to speak for, contract on behalf of, or otherwise bind the
applicant laboratory. The purpose of this letter is to document that the laboratory
is aware of, and agrees to abide by, the requirements of the EAC’s Voting System
Test Laboratory Program. The letter must unequivocally state the following:


The undersigned representative of __________ (hereinafter “the laboratory”),
being lawfully authorized to bind the laboratory and having read the EAC Voting
System Test Laboratory Program Manual, accepts and agrees on behalf of the
laboratory to follow the program requirements as laid out in Chapter 2 of this
manual. The laboratory will meet all program requirements as they relate to
NVLAP accreditation; conflict of interest and prohibited practices; personnel
policies; notification of changes; resources; site visits, notice of lawsuits; testing,
technical practices and reporting; laboratory independence; authority to do
business in the United States; VSTL communications; financial stability; and
recordkeeping. Laboratory recognizes that meeting these program requirements is
a continuing responsibility. Failure to meet each of the requirements may result in
the denial of an application for accreditation, a suspension of accreditation, or a
revocation of accreditation.


3.4.3. Certification of Laboratory Conditions and Practices. The laboratory must submit
a signed Certification of Laboratory Conditions and Practices as a part of its
application. A Certification of Laboratory Conditions and Practices form may be
found in Appendix G of this manual. By signing the certification, a laboratory
affirms that it, in fact, has in place the policies, procedures, practices, resources,
and personnel stated in the document. Any false representations made in the
certification process may result in the revocation of accreditation and/or criminal
prosecution.


3.5. EAC Review of Application Package. The Program Director must review each
laboratory’s application package to ensure that it is complete, and that the laboratory 
meets the program requirements. Each package is reviewed to identify all apparent 
nonconformities or deficiencies. If necessary, the Program Director will notify the 
laboratory of any such nonconformities or deficiencies and provide an opportunity to cure 
problems. The Program Director will issue a recommendation to the Commissioners when 
forwarding any application package. Consistent with HAVA, a laboratory will receive its 
initial accreditation upon a vote from the Commissioners. 
3.5.1. Notice of Nonconformity. In the event the Program Director identifies (1)
missing documentation or information and/or (2) issues of noncompliance, the 
Program Director must notify the laboratory of the deficiencies. The written 
notice of nonconformity must identify missing documentation or information 
and issues of noncompliance. The laboratory will have 10 business days to 
amend the application package or submit additional information in response to 
identified nonconformities. 


3.5.2. Action on Notice of Nonconformity. A laboratory’s response to a notice of 
nonconformity must include any missing documents identified in the notice, as 
well as any additional or clarifying information or documentation responsive 
to an issue of noncompliance. If a laboratory fails to provide required 
information or documentation within the required timeframe, the Program 
Director will reject the application as incomplete and return the package to the 
laboratory for resubmission consistent with the requirements of this chapter. 


3.5.3. Recommendation to Commissioners. After final review of the application 
package, the Program Director must forward the application package to the 
Chair of the Commission with a recommendation of disposition. 


3.5.4. Vote by Commissioners. Upon receipt of an application package and 
recommendation from the Program Director, the Chair of the Commission will 
forward the information to each EAC Commissioner. The Chair of the 
Commission will bring the matter to a vote, consistent with the rules of the 
Commission. The measure presented for a vote will take the form of a written 
Commissioners’ Decision which (1) makes a clear determination as to 
accreditation and (2) states the basis for the determination. 


3.6. Grant of Accreditation. Upon a vote of the EAC Commissioners to accredit a laboratory, 
the Program Director must inform the laboratory of the decision, issue a Certificate of 
Accreditation, and post information regarding the laboratory on www.eac.gov. 


3.6.1. Certificate of Accreditation. A Certificate of Accreditation will be issued to each 
accredited laboratory. The certificate will be signed by the Chair of the 
Commission and state: 

• The name of the VSTL;


• The scope of accreditation, by stating the VVSG version(s) to which the
VSTL is competent to test;


• The effective date of the certification; and


• The technical standards to which the laboratory was accredited.


3.6.2. Post Information on Web Site. The Program Director will make the following 
information available on www.eac.gov:

• NIST’s recommendation letter


• The Commissioner’s decision on accreditation


• The Certificate of Accreditation


3.7. Effect of Accreditation. Receipt of an EAC Accreditation indicates that a laboratory has 
met the applicable requirements and may serve as a VSTL under the EAC’s Testing and 
Certification Program. 


3.7.1. Scope of Accreditation. A VSTL must operate within the limits of the scope of 
accreditation as stated on its certificate of accreditation. 


3.7.2. Representation. A VSTL must not make representations regarding its 
accreditation beyond its scope of accreditation. 


3.7.3. No Endorsement. A certificate of accreditation is not an endorsement of the 
recipient VSTL. A VSTL must not state or imply EAC endorsement. 


3.7.4. Accreditation Logo. A VSTL may display the EAC laboratory accreditation logo. 
Only the EAC authorized logo may be used. The display must be used in a 
manner consistent with Sections 3.7.1 - 3.7.3. Specifications for the reproduction and
use of the EAC logo are found in Appendix H. 


3.8. Denial of Accreditation. Upon a vote of the EAC Commissioners not to accredit a 
laboratory, the Program Director will inform the laboratory of the decision and post a 
copy of the Commissioners’ decision and the denial notification on www.eac.gov. 


3.8.1. Notice of Denial. The Program Director will provide written notification of the 
Commissioners’ decision. This notification will include: 
• A statement of the decision and brief summary explanation of the basis
for the decision,


• Notice of the laboratory’s right to an appeal; and


• A copy of the Commissioners’ decision.


3.9. Requesting Appeal. A laboratory that has been denied accreditation has the right to 
appeal. A laboratory may appeal a Denial of Accreditation by submitting a written 
appeal to the Program Director, addressed to the Chair of the EAC. The appeal must be 
submitted within 14 calendar days of receipt of the denial notification (late requests will 
not be considered). The appeal must clearly state the specific conclusions of the decision 
the laboratory wishes to appeal. Supporting documentation or other evidence may be 
submitted in support of the appeal. 
3.10. EAC Action on an Appeal. Upon receipt of an appeal, the Program Director must
provide written acknowledgement of receipt of the appeal to the laboratory. The
notification will inform the laboratory of the next steps of the appeal based on Section 3.11
of this manual.


3.11. Commissioners’ Decision on Appeal. All timely appeals will be considered by the
Commissioners. Upon receipt of an appeal, the Chair of the Commission will forward
the appeal to each Commissioner along with the original application package,
Commissioners’ Decision, and Program Director’s recommendation. After a reasonable
time to review and consider the materials, the Chair of the Commission will bring the
matter to a vote consistent with the rules of the Commission. The measure presented for
a vote will take the form of a written Commissioners’ Decision on Appeal, that will state
the final determination, address the matters raised by the appeal, provide reasoning
behind the appeal, and state the appeal decision is final.


The Commissioners will make one of two determinations on the appeal: Grant of Appeal
or Denial of Appeal. If the Commissioners determine that the previous decision of the
Commission should be overturned in full then the appeal will be granted, and the
laboratory will be granted accreditation. If the Commissioners determine that any part of
the previous decision of the Commission should be upheld such that the requirements in
Chapters 2 and 3 of this manual will not be met in full then the appeal will be denied, and
the laboratory will be denied accreditation.


3.12. Effect of Denial of Accreditation. An EAC denial of accreditation indicates only that a
laboratory has failed to document or demonstrate that it has the procedures, policies, 
management, or personnel in place to meet the requirements of this Program. A denial of 
accreditation is based upon current policy and procedure and is not an indicator of past 
performance. A laboratory that is denied accreditation has the right to cure any 
identified defect and reapply by resubmitting their application package consistent with 
Section 3.4 of this manual. 
4. Compliance Management Program


4.1. Purpose. The purpose of the Compliance Management Program is to improve the EAC’s
VSTL Program; increase coordination, communication, and understanding between the
EAC and its VSTLs; and improve public confidence in elections by facilitating VSTL
accountability. The program accomplishes this by requiring personal interaction between
EAC staff and VSTL personnel, collecting information and performing reviews to ensure
continued compliance with program requirements, and requiring that VSTLs promptly
remedy any identified areas of noncompliance.


4.2. Compliance Management Program. The Compliance Management Program meets its
purpose by gathering information on the procedures and practices of its VSTLs. There are
three main sources of information: (1) VSTL Notifications of Changes, (2) EAC Requests
for Documents or Information and (3) EAC Reviews. The information collected is
reviewed by the EAC to ensure that VSTLs are meeting all program requirements. Any
areas of noncompliance or recommendations for improvement are presented to VSTLs in
a Compliance Management Report.


4.3. VSTL Notification of Changes. VSTLs are obligated to report any significant changes
regarding the information, agreements or certifications made to the EAC as a condition of
accreditation (see Section 2.6). Failure to report changes in conditions or practices may
result in suspension or revocation of accreditation consistent with the requirements and
procedures in Chapter 5.


4.4. Request for Information. The Program Director may request a VSTL to provide
information to demonstrate the laboratory’s continuing compliance with the VSTL 
Program. 


4.4.1. EAC Request. A request for information must be made in writing and provide a 
reasonable timeframe for VSTL response. Requests for information take the form 
of interrogatories and may also include a request for existing documentation. 


4.4.2. VSTL Response. VSTLs must respond within the timeframe provided by the 
Program Director. If additional time is needed, VSTLs may request an extension 
that must be made within the timeframe of the original request. The grant of 
additional time is at the sole discretion of the Program Director. VSTLs must 
ensure that each question is answered completely and accurately. For 
documentation requests, VSTLs must provide copies of all documents 
responsive to the request. If any document is considered privileged or protected 
from release under federal law, it must be properly labeled. If a requested 
document does not exist, then the VSTL must state this. 
4.4.3. Failure to Respond. Failure to timely respond to a request for documents or 
information may result in a suspension or revocation of accreditation consistent 
with the requirements and procedures of Chapter 5. 


4.5. Laboratory Review. The EAC must conduct biennial reviews of VSTLs. There are two 
parts of the review: documentation review and on-site review. The documentation 
review consists of qualified EAC personnel reviewing the VSTL’s policies and 
procedures to ensure that they meet the requirements of the VSTL Program (Chapter 2). 
The on-site review consists of qualified EAC personnel assessing the VSTL’s personnel 
and observing testing to verify compliance with applicable VSTL documentation. 


4.6. Laboratory Review Procedure. The Program Director will determine when the review 
will be conducted for each VSTL and must notify the VSTL in writing at least 15 
calendar days prior to the review. Reviews must be conducted with as little impact as 
possible on the activities of the VSTL. The VSTL and its employees are required to 
participate in the review and cooperate with qualified EAC personnel. The reviewer 
must provide the VSTL an exit briefing prior to the termination of the on-site review. 


4.6.1. Notice. The Program Director will coordinate the review with VSTL 
management. The review notification must include the following information: 

• An estimated timeframe during which EAC reviewers will be on site. 

• The scope of review that will allow the VSTL to identify the documents, 
personnel, and testing it must make available to EAC reviewers. 

• The VSTL’s responsibility to coordinate and cooperate with the EAC 
throughout the review process. 


4.6.2. VSTL Response to Notice. Upon receipt of a notice of the review, the VSTL must 
coordinate the logistics of the review with the Program Director. In the event the 
proposed date or timeframe makes access to the required personnel, documents, 
or testing untenable, the VSTL must contact the Program Director in writing and 
identify (1) the conflict or other problem which makes the proposed date and 
timeframe untenable, and (2) a proposed alternative date for the review. The 
acceptance of an alternative review date is at the sole discretion of the Program 
Director. 


4.6.3. Review. EAC reviewers must conduct a brief kickoff meeting with all necessary 
VSTL staff. This meeting will enable the EAC reviewers to provide an overview 
of the review and allow the VSTL to ask any questions. EAC reviewers must 
conduct reviews during the VSTL’s normal working hours. The reviewers will 
make every effort to work as efficiently as possible and avoid impacting the 
laboratory’s routine operations. The VSTL and its employees are required to 
cooperate with EAC reviewers. This cooperation includes providing a private, 
physical location for EAC personnel to review documents and speak with VSTL 
employees. The VSTL is responsible for ensuring the following: 

• The reviewers have access to all requested VSTL documents. All 
documents specifically identified in the notice of the review must be 
presented to reviewers upon arrival. 

• The reviewers have access to requested personnel. The VSTL must ensure 
that key personnel for each substantive area identified in the notice of the 
review be available to EAC reviewers during the review period. 

• The reviewers have access to VSTL facilities involved in the testing of 
voting systems, including the facilities of third-party contractor 
laboratories. 


4.6.4. Exit Briefing. EAC reviewers must conduct an informal exit briefing with the 
VSTL. The briefing must identify any documents, information, or personnel 
which the VSTL remains responsible for making available to the reviewers; 
inform the VSTL of the next steps in the review process; and provide the VSTL 
an opportunity to ask questions. 


4.7. EAC Compliance Management Reports. The EAC must issue a written compliance 
management report after performing any review, and after a request for information 
or VSTL notification of change when either indicates a noncompliance with program 
requirements. All reports must provide a brief summary of the review process, 
request for information or VSTL notification of change, state any findings resulting 
from the review, and identify any corrective action that may be required. 


4.7.1 Purpose. The purpose of the report is to provide the VSTL with EAC’s findings 
regarding its program so that noncompliant items can be identified and 
rectified, exceptional practices may be identified and encouraged, and 
recommendations may be put forth in an effort to improve the VSTL’s 
program. 


4.7.2 Summary of Process. The summary provides background information regarding 
how the information supporting EAC findings was collected including 
identifying sources of information, methodology, and standards. The summary 
states the date(s) of the review, type of review, the program areas reviewed 
including specific documents, personnel discussions that were integral to the 
report findings, and the processes used by the reviewers to determine 
compliance. 


4.7.3 Findings. The report must include all findings of the review, any requests for 
information, and any VSTL Notifications of Change. Findings are the results of 
the audit and include conformities and nonconformities to this program’s 
requirements. Audit findings may lead to the identification of risks, 
opportunities for improvement, or recording good practices. Reports will 
identify two types of nonconformities: 


Major. A major nonconformity is a failure that is fundamentally critical to 
the VSTL’s technical capability to test voting systems and is a violation 
that compromises the integrity of the EAC’s Testing and Certification 
Program. Examples of major nonconformities would be a total 
breakdown of a system, process, or procedure, multiple minor 
nonconformities related to the same process, or unauthorized 
documentation changes. 


Minor. A minor nonconformity is a failure to conform to a requirement 
that is not likely to result in a failure of the quality management system. 
It may be a single observed lapse or isolated incident where there is 
minimal risk of nonconforming product being released to the customer. 
Examples of minor nonconformities would be a document with an 
unauthorized change, a missing training record, or an instrument past its 
calibration date. 


4.8. Corrective Action. Corrective action is required if nonconformities are identified. If a 
nonconformity occurs, the VSTL must: 


4.8.1. React to the nonconformity and, as applicable: 

    take action to control and correct it, 
    address the consequences, and 
    challenge the nonconformity. 


4.8.2. Evaluate the need for action to eliminate the cause(s) of the nonconformity so 
that it does not recur or occur elsewhere by: 

    reviewing and analyzing the nonconformity, 
    determining the causes of nonconformity, and 
    determining if similar nonconformities exist or could potentially occur. 


4.8.3. Implement any action needed. 


4.8.4. Review the effectiveness of any corrective action taken. 


4.8.5. Update risks and opportunities determined during planning, if necessary. 


4.8.6. Make changes to the management system, if necessary. 


4.8.6.1. Challenging Nonconformities. The VSTL may challenge a nonconformity if 
it believes its procedures and practices were in compliance with 
program requirements at the time of the review. Written challenges 
must be filed within five calendar days of receipt of the report, and 
must state the basis for the challenge, address the facts and conclusions 
in the EAC report, and provide information that clearly documents that 
the VSTL was in compliance at the time of the review. The Program 
Director must accept or reject a VSTL’s challenge in writing. If a 
challenge is accepted, no corrective action is required. If the challenge is 
rejected, the VSTL has 20 calendar days from receipt of the notice of 
rejection to perform remedial action. 


4.8.6.2. Conducting Remedial Action. VSTLs may submit a remedial plan within 
20 calendar days of receipt of the report. The remedial plan must 
identify each nonconformity, outline the steps to be taken to achieve 
compliance, state the timeframe for each step, and identify the means 
and final date by which the VSTL will be compliant. A remedial plan 
is subject to approval from the Program Director. A VSTL’s failure to 
obtain approval of a remedial plan or unauthorized deviation from an 
approved plan’s requirements or deadlines will result in suspension of 
accreditation. 


4.8.6.3. EAC Approval of Remedial Plan. The Program Director must work with 
the VSTL to develop a remedial plan that will bring the VSTL into 
compliance. The Program Director must provide written approval of 
the VSTL’s remedial plan. 


4.8.6.4. VSTL Implementation of a Remedial Plan. After the remedial plan has been 
approved by the Program Director, the VSTL has 20 calendar days to 
implement its plan. The VSTL must not deviate from the plan’s 
procedures and the associated requirements or deadlines without the 
written consent of the Program Director. Failure to follow the remedial 
plan will result in the termination of the cure process. A determination 
to terminate the cure process must be made in writing by the Program 
Director. 


4.8.6.5. EAC Verification of Remedy. Upon a VSTL’s completion of the remedial 
plan, the Program Director must verify compliance. 


If the Program Director determines that the remedial plan was not 
completed, the cure process will be terminated. A determination to 
terminate the cure process must be made in writing by the Program 
Director. 


If the Program Director determines that the remedial plan was 
completed, the Program Director must provide the VSTL a Notice of 
Compliance and recommend accreditation to the Commissioners. 


4.9 Suspension of Accreditation. The purpose of suspension is to ensure that a noncompliant 
VSTL ceases to test voting systems. The VSTL will have 20 calendar days to implement its 
remedial plan as outlined in Section 4.8. If the remedial plan is not implemented, the 
Program Director must issue a Decision on Suspension. The decision will state (1) the 
decision of the Program Director, (2) the basis for, and reasoning behind, the decision and 
(3) the VSTL’s obligations and rights during suspension (if applicable). A Decision on 
Suspension will be provided to the VSTL, issued to all registered manufacturers, and 
posted on www.eac.gov. 


4.9.1 Effect of Suspension. A suspended VSTL must immediately cease all testing of 
voting systems under the EAC’s Testing and Certification Program. Any testing 
performed by a suspended VSTL will not be accepted by the EAC. Any period 
of suspension must be clearly documented in a VSTL’s test report. Testing under 
the EAC’s Testing and Certification Program will not resume unless the 
suspension is lifted. 


4.9.2 Challenge of Suspension. The VSTL will have 10 calendar days to challenge its 
suspension. The VSTL must challenge the factual finding(s) that serve as the 
basis for its suspension and must provide documentation in support of its 
challenge. 


If the Program Director does not receive a documented challenge within the 
10-day window or deems the challenge to be insufficient, the Program Director 
must submit a recommendation to revoke the VSTL’s accreditation to the EAC 
Commissioners. 


If the Program Director determines that the documented challenge addresses 
the nonconformities, the Program Director must provide the VSTL a Notice of 
Compliance and recommend accreditation to the EAC Commissioners. 


4.10 Risks and Opportunities. The VSTL must consider the risks and opportunities associated 
with its activities in order to: 

• give assurance that the management system achieves its intended results, 

• enhance opportunities to achieve the purpose and objectives of the VSTL, 

• prevent, or reduce, undesired impacts and potential failures in the laboratory 
activities, and 

• achieve improvement. 


The VSTL must plan actions to address these risks and opportunities, and how to integrate and 
implement these actions into its management system and evaluate the effectiveness of these actions. 
Actions taken to address risks and opportunities must be proportional to the potential impact on 
the validity of VSTL’s results. Options to address risks can include identifying and avoiding threats, 
taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood 
or consequences, sharing the risk, or retaining risk by informed decision. 


4.11 Improvement. The VSTL must identify and select opportunities for improvement and 
implement any necessary actions. Opportunities for improvement can be identified 
through the review of the operational procedures, the use of the policies, overall 
objectives, audit results, corrective actions, management review, suggestions from 
personnel, risk assessment, analysis of data, and proficiency testing results. The VSTL 
must seek feedback, both positive and negative, from its customers. The feedback must be 
analyzed and used to improve the management system, VSTL activities, and customer 
service. Examples of the types of feedback include customer satisfaction surveys, 
communication records, and review of reports with customers. 
5. Revocation of Accreditation 


5.1. Overview. This chapter describes the process for revoking the accreditation of a VSTL. 
The EAC will revoke an accreditation upon a factual finding that a VSTL has failed to 
remedy a nonconformity. Revocation of Accreditation is a three-step process: (1) 
suspension of accreditation, (2) Commissioners’ Decision on Revocation of 
Accreditation, and (3) notify NIST NVLAP of revocation. 


5.2. Revocation. The EAC monitors VSTL compliance through (1) the VSTL’s continuing 
obligation to provide EAC Notifications of Changes, (2) EAC’s authority to issue 
Requests for Information, and (3) the performance of VSTL Reviews. The process to 
revoke a VSTL’s accreditation will be initiated after an opportunity to remedy 
nonconformities as described in Section 4.8. 


5.3. Commissioners’ Decision on Revocation of Accreditation. Pursuant to HAVA, a VSTL 
may have its accreditation revoked only by a vote of the Commissioners. The Program 
Director will provide each Commissioner with all relevant documentation including: 

• the VSTL’s submission challenging suspension, 

• the Compliance Management Report, 

• any documents pertaining to challenges or remedial plans provided by the 
VSTL in response to a relevant Compliance Management Report, and 

• a Program Director recommendation as to disposition. 


5.3.1. Consideration. Each Commissioner will review and consider all relevant 
materials that have been provided. A Commissioner may request the Program 
Director to provide additional materials or information. Such requests and any 
responsive materials must be provided to each Commissioner. The Chair of the 
Commission will ensure that each Commissioner has sufficient time to consider 
the relevant material before a vote is called. 


5.3.2. Process. The Chair of the Commission will bring the Decision of Revocation of 
Accreditation to a vote consistent with the rules of the Commission. The measure 
presented for a vote will take the form of a written Commissioners’ Decision on 
Revocation that determines: 


5.3.2.1. Program Compliance. If the VSTL demonstrates that it meets all program 
requirements, successfully challenging all previous findings of 
noncompliance, the Commissioners will find the VSTL compliant, lift 
the VSTL’s suspension, and issue a Certificate of Accreditation. 


5.3.2.2. Revocation of Accreditation. If the VSTL does not demonstrate that it 
meets all program requirements and at least one previous finding of 
noncompliance stands, the Commissioners will find the VSTL to be 
noncompliant and issue a Revocation of Accreditation. 


5.3.3. Publication of Decision. After a vote of the Commissioners adopting a Decision 
on Revocation, the Program Director must notify the VSTL, all EAC-registered 
manufacturers, and the Director of NIST, and post the decision on 
www.eac.gov. 


5.4. Effect of Revocation of Accreditation. A revocation of accreditation is effective upon the 
vote of the Commissioners. VSTLs that have had their accreditation revoked may no 
longer test voting systems or submit test reports under the EAC Certification Program. 
The VSTLs may not represent themselves as accredited by the EAC. A VSTL which has 
had its accreditation revoked may reapply for EAC accreditation consistent with the 
requirements in Chapter 2, only after the EAC receives a new recommendation for their 
participation from NIST. Where a revocation of accreditation results in the termination of 
testing prior to completion, the VSTL must provide information to the EAC consistent 
with 2.10.7. Manufacturers may request the EAC grant permission to replace their lead 
VSTL pursuant to section 4.3.1.2. 
6. Release of Laboratory Accreditation Program Information 


6.1 Overview. VSTLs participating in the Certification Program are required to provide the 
EAC with a variety of documents. In general, these documents are releasable to the 
public and, in many cases, the information provided will be published by the EAC. In 
limited cases, documents may not be released if they include trade secrets, confidential 
commercial information, or personal information. While the EAC is ultimately 
responsible for determining which documents are protected by federal law from release, 
VSTLs must identify the information that they believe should be protected and provide 
substantiation and a legal basis for withholding such information. This chapter discusses 
EAC’s general policy on the release of information and provides VSTLs with the 
standards, procedures, and requirements for identifying documents as trade secrets or 
confidential commercial information. 


6.1.1 Requests for information. The public may request access to Certification 
Program documents under FOIA (5 U.S.C. §552). The EAC must promptly 
process such requests per the requirements of that Act. 


6.1.2 Publication of documents. The EAC must publish program documents (or 
portions of documents) through the use of www.eac.gov. The published 
documents will cover the full spectrum of the program, including information 
pertaining to: 

• Accredited VSTLs 
• VSTL test plans 
• VSTL test reports 
• Agency decisions 
• Denials of certification 
• Issuance of certifications 
• Compliance management reports 
• Suspensions or revocation of accreditations 
• Other topics as determined by the EAC. 

6.1.3 Trade Secrets and Confidential Commercial Information. Federal law places a 
number of restrictions on a Federal agency’s authority to release information 
to the public. Exemption 4 of the FOIA protects "trade secrets and commercial 
or financial information obtained from a person [that is] privileged or 
confidential." The exemption covers two distinct categories of information in 
federal agency records, (1) trade secrets, and (2) information that is (a) 
commercial or financial, and (b) obtained from a person, and (c) privileged or 
confidential. Both types of information are explicitly prohibited from release 
by the FOIA and the Trade Secrets Act (18 U.S.C. §1905). 


6.2 Trade Secrets. A trade secret is "information, including a formula, pattern, compilation, 
program, device, method, technique, or process that: 

• Derives independent economic value, actual or potential, from not being generally 
known to, and not being readily ascertainable by proper means by, other persons 
who can obtain economic value from its disclosure or use; and 

• Is the subject of efforts that are reasonable under the circumstances to maintain its 
secrecy." 


A trade secret relates to the productive process itself, describing how a product is 
made. It does not relate to information describing end product capabilities, features, 
or performance. The following examples illustrate productive processes that may be 
considered as trade secrets: 

• Plans, schematics, and other drawings useful in production. 

• Specifications of materials used in production. 

• Voting system source code used to develop or manufacture software where 
release of this information would reveal actual programming details. 

• Technical descriptions of manufacturing processes and other secret 
information relating directly to the production process. 


The following examples are likely not considered as trade secrets: 

• Information pertaining to a finished product’s capabilities or features. 

• Information pertaining to a finished product’s performance. 

• Information regarding product components that would not reveal any commercially 
valuable information regarding production. 


6.3 Privileged or Confidential Commercial Information. Privileged or confidential 
commercial information consists of information submitted by a VSTL that is 
commercial or financial in nature. 


6.3.1 Commercial or Financial Information. The terms commercial and financial should 
be given their ordinary meanings. They include records in which a submitting 
VSTL has any commercial interest. 


6.3.2 Privileged or Confidential Information. Commercial or financial information is 
privileged or confidential if the disclosure of such information would likely 
cause substantial harm to the competitive position of the submitter. The concept 
of harm to one’s competitive position focuses on harm flowing from a 
competitor's affirmative use of the proprietary information. This does not 
include incidental harm associated with upset customers or employees. 


6.4 EAC’s Responsibilities. The EAC is ultimately responsible for determining whether or 
not a document (in whole or in part) may be released pursuant to federal law. In doing 
so, the EAC will require information and input from the VSTL submitting the 
documents. This requirement is essential for the EAC to identify, track, and make 
determinations on the large volume of documentation it receives. The EAC has the 
following responsibilities in regard to the submitted documentation: 


6.4.1 Managing Documentation and Information. The EAC must control the 
documentation it receives by ensuring that documents are secure and released to 
third parties only after appropriate review and determination. 


6.4.2 Contacting a VSTL on Proposed Release of Potentially Protected Documents. In 
the event that a member of the public submits a FOIA request for 
documentation provided by a VSTL or the EAC or otherwise proposes the 
release of such documents, the EAC must take the following actions: 


6.4.2.1 Review the documents to determine if they are potentially protected 
from release as trade secrets or confidential commercial information. 
The documents at issue may have been previously identified as 
protected by the VSTL when submitted (see Section 7.6.1. below) or 
identified by the EAC during review. 


6.4.2.2 Grant the submitting VSTL an opportunity to provide input. In the 
event the information has been identified as potentially protected from 
release as a trade secret or confidential commercial information, the 
EAC must notify the submitter and allow the submitting VSTL an 
opportunity to submit its position on the issue prior to release of the 
information. The submitter must respond consistent with Section 6.5.1. 
below. 


6.4.3 Final Determination on Release. After providing the submitter of the 
information an opportunity to be heard, the EAC will make a final decision 
on release and must inform the submitter of this decision. 


6.5 VSTL’s Responsibilities. Although the EAC is ultimately responsible for determining if a 
document, or any portion thereof, is protected from release as a trade secret or 
confidential commercial information, the VSTL is responsible for identifying documents, 
or portions of documents, it believes warrant such protection. The VSTL is responsible for 
providing the legal basis and substantiation for its determination regarding the 
withholding of a document. This responsibility arises in two situations: (1) upon the initial 
submission of information and (2) upon notification by the EAC that it is considering the 
release of potentially protected information. 


6.5.1 Initial Submission of Information. When a VSTL is submitting documents to the 
EAC, it is responsible for identifying any document or portion of a document 
that it believes is protected from release by federal law. VSTLs must identify 
protected information by taking the following action: 


6.5.1.1 Submitting a Notice of Protected Information. This notice must identify the 
document, document page, or portion of a page that the VSTL believes 
should be protected from release. This identification must be done with 
specificity. For each piece of information identified, the VSTL must 
state the legal basis for its protected status. 


• Cite the applicable law that exempts the information from 
release. 

• Clearly discuss why that legal authority applies and why the 
document must be protected from release. 

• If necessary, provide additional documentation or information. 
For example, if the VSTL claims a document contains 
confidential commercial information, it would also have to 
provide evidence and analysis of the competitive harm that 
would result upon release. 


6.5.1.2 Label Submissions. Label all submissions identified in the notice as 
“Proprietary Commercial Information.” Label only those submissions 
identified as protected. Attempts to indiscriminately label all materials 
as proprietary renders the markings moot. 


6.5.2 Notification of Potential Release. In the event a VSTL is notified that the EAC is 
considering the release of information that the VSTL thinks may be protected, 
the VSTL must respond to the notice in writing within 15 calendar days. VSTLs 
that do not respond within the 15-day deadline will be viewed as not objecting 
to release. If the VSTL objects to the release, the response must clearly state 
which portions of the document should be protected from release. 


5.1. Personal Information. Certain personal information is protected from release under FOIA and the 
Privacy Act (5 U.S.C. §552a). This information includes private information about a person that, if 
released, would cause the individual embarrassment or constitute an unwarranted invasion of 
personal privacy. The EAC does not require the submission of private, individual information and 
the incidental submission of such information should be avoided. If a VSTL believes it is required 
to submit such information, it should contact the Program Director. Examples of such information 
include: 

• Social security number 
• Bank account numbers 
• Home address 
• Home phone number 
Appendix A - Glossary 


Definitions. For purposes of this manual, the terms listed below have the following 
definitions: 


Appeal. A formal process by which the EAC is petitioned to reconsider a decision. 


Applicant Laboratory. An independent, non-Federal laboratory which has applied for 
EAC accreditation after receipt of an invitation. 


Certification Program. The EAC Voting System Testing and Certification Program. 


Commercial-Off-the-Shelf (COTS). Hardware or software components that are widely available 
for purchase and can be integrated into special-purpose systems. 


Commission. The U.S. Election Assistance Commission, as an agency. 


Commissioners. The serving commissioners of the U.S. Election Assistance 
Commission. 


Component. An identifiable and discrete part of the larger voting system essential to 
the operation of the voting system, and an immediate subset of the system to which it 
belongs. 


Days. Calendar days, unless otherwise noted. When counting days, for the purpose of 
submitting or receiving a document, the count begins on the first full calendar day after 
the date the document was received. 


Decision Authority. The EAC Executive Director or Executive Director’s designee. 


Election Official. A State or local government employee who has as one of his or her 
primary duties the management or administration of a Federal election. 


Federal Election. Any primary, general, runoff, or special election in which a candidate 
for Federal office (President, Senator, or Representative) appears on the ballot. 


Fielded Voting System. A voting system purchased or leased by a state or local 
government that is being used in a Federal election. 


Gift. A gift includes any gratuity, favor, discount, entertainment, travel, service, 
hospitality, loan, meal, forbearance, or other item having monetary value. 


Integration Testing. The end-to-end testing of a full system configured for use in an 
election to assure that all legitimate configurations meet applicable guidelines. 
Manufacturer. The entity with ownership and control over a voting system submitted 
for certification. 


Minor Change Order. A minor change order is a change to a certified voting system’s 
hardware, software, Technical Data Package (TDP), or data, the nature of which does 
not materially alter the system’s reliability, functionality, capability, or operation. Any 
changes made to a system under test will result in the manufacturer supplying a list and 
detailed description of all changes. 


Modification. Any change to a previously EAC-certified voting system’s hardware, 
software, or firmware that is not classified as a minor change order or new system. 


Program Director. The individual responsible for administering and managing the 
Testing and Certification Program. 


Proprietary Information. Commercial information or trade secrets protected from 
release under the Freedom of Information Act (FOIA) and the Trade Secrets Act. 


Qualified EAC Personnel. Qualified EAC personnel have attained ISO/IEC 17025 
internal auditing credentials. 


Recommended Laboratory. A laboratory recommended for EAC accreditation by the 
Director of NIST after evaluation by NVLAP. 


Scope of Accreditation. The version or versions of the Federal Voluntary Voting System 
Guidelines (VVSG) to which a VSTL is authorized to test. 


System Identification Tools. Tools created by a manufacturer of voting systems which 
allow elections officials to verify that the hardware and software of systems purchased 
are identical to the systems certified by the EAC. 


Third-Party Laboratory. A laboratory contracted or otherwise providing testing services 
to a VSTL to meet program requirements. 


Trusted Build. A software build where source code is converted into machine-readable 
binary instructions (executable code) in a manner providing security 
measures which help ensure that the executable code is a verifiable and faithful 
representation of the source code. 


Voluntary Voting System Guidelines (VVSG). Voluntary voting system guidelines 
developed, adopted, and published by the EAC. The guidelines are identified by 
version number and date. 


Voting System. The total combination of mechanical, electromechanical, and electronic 
equipment (including the software, firmware, and documentation required to program, 
control, and support the equipment) that is used to define ballots, cast and count votes, 
report or display election results, interface the voting system to the voter registration 
system, and maintain and produce any audit trail information. 


Voting System Test Laboratories (VSTLs). Laboratories accredited by the EAC to test 
voting systems to EAC approved voting system standards. 


Appendix B — References 


References. The following documents are referenced in this manual. For dated references, 
only the edition cited applies. For undated references, the latest edition of the referenced 
document (including any amendments) applies. 


• ISO/IEC 17011, Conformity assessment - General requirements for accreditation bodies 
accrediting conformity assessment bodies. 

• ISO/IEC 17025, General requirements for the competence of testing and calibration 
laboratories. 

• NIST Handbook 150, (NVLAP) Procedures and General Requirements. 

• NIST Handbook 150-22, (NVLAP) Voting System Testing. 


Appendix C — Voting System Test Plan Outline 


This outline is provided solely as an aid to test plan development. Note that these items may 
change significantly, depending on the specific project planned. 


1 Introduction 
1.1 References 
1.2 Terms and Abbreviations 
1.3 Testing Responsibilities 
1.3.1 Project schedule with 
1.3.1.1 Owner assignments 
1.3.1.2 Test case development 
1.3.1.3 Test procedure development and validation 
1.3.1.4 3rd party tests 
1.3.1.5 EAC and manufacturer dependencies 
1.4 Target of Evaluation Description 
1.4.1 System Overview 
1.4.2 Block diagram 
1.4.3 System Limits 
1.4.4 Supported Languages 
1.4.5 Supported Functionality 
1.4.5.1 Standard VVSG Functionality 
1.4.5.2 Manufacturer Extensions 
2 Pre-Certification Testing and Issues 
2.1 Evaluation of prior VSTL testing 
2.1.1 Reason for testing and results, listing of modifications from previous to current system 
2.2 Evaluation of prior non-VSTL testing 
2.2.1 Reason for testing and results, states, other 3rd party entities 
2.3 Known Field Issues 
2.3.1 Listing of relevant issues uncovered during field operations 
3 Materials Required for Testing 
3.1 Software 
3.2 Equipment 
3.3 Test Materials 
3.4 Deliverable Materials 
4 Test Specifications 
4.1 Requirements 
4.1.1 Mapping of requirements to equipment type and features 
4.1.2 Rationale for why some requirements are not applicable to this campaign 
4.2 Hardware Configuration and Design 
4.3 Software System Functions 
4.4 Test Case Design 
4.4.1 Hardware Qualitative Examination Design 
4.4.1.1 Mapping of requirements to specific interfaces 
4.4.2 Hardware Environmental Test Case Design 
4.4.3 Software Module Test Case Design and Data 
4.4.4 Software Functional Test Case Design and Data 
4.4.5 System-level Test Case Design 
4.5 Security functions 
4.6 TDP evaluation 
4.7 Source Code review 
4.8 QA & CM system review 
5 Test Data 
5.1 Data Recording 
5.2 Test Data Criteria 
5.3 Test Data Reduction 
6 Test Procedure and Conditions 
6.1 Facility Requirements 
6.2 Test Set-up 
6.3 Test Sequence 
7 Test Operations Procedures 


Appendix D - Voting System Modification Test Plan Outline 


This outline is provided solely as an aid to test plan development. Note that these items may 
change significantly, depending on the specific project planned. 


1. Introduction 
1.1 Description and Overview of EAC-certified system being modified 
1.1.1 Complete definition of the baseline certified system. 
1.1.2 Detailed description of the engineering changes and/or modifications to the certified system and why the modification was implemented. 
1.1.3 An initial assessment of the impact that the modifications have on the system and past certification. 
1.1.4 Description of what will be regression tested to establish assurance that the modifications have no adverse impact on the compliance, integrity or performance of the system. 
1.2 References 
1.3 Terms and Abbreviations 
1.4 Project Schedule 
1.5 Scope of testing 
1.5.1 Block diagram (if applicable) 
1.5.2 System limits (if applicable) 
1.5.3 Supported Languages 
1.5.4 Supported Functionality 
1.5.5 VVSG 
1.5.6 RFIs 
1.5.7 NOCs 
2. Pre-Certification Testing and Issues 
2.1 Evaluation of prior VSTL testing 
2.2 Evaluation of prior non-VSTL testing (if applicable) 
2.3 Known Field Issues (if applicable) 
3. Materials Required for Testing 
3.1 Software 
3.2 Equipment 
3.3 Test Materials 
3.4 Deliverable 
3.5 Proprietary Data 
4. Test Specifications 
4.1 Requirements 
4.1.1 Mapping of requirements to equipment type and features 
4.1.2 Rationale for why some requirements are not applicable to this campaign 
4.2 Hardware Configuration and Design (if applicable) 
4.3 Software System Functions (if applicable) 
4.4 Test Case Design 
4.4.1 Hardware Qualitative Examination Design (if applicable) 
4.4.2 Hardware Environmental Test Case Design (if applicable) 
4.4.3 Software Module Test Case Design and Data (if applicable) 
4.4.4 Software Functional Test Case Design and Data (if applicable) 
4.4.5 System-level Test Case Design 
4.5 Security functions (if applicable) 
4.6 TDP evaluation 
4.7 Source Code review (if applicable) 
4.8 QA & CM system review 
5. Test Data 
5.1 Test Data Recording 
5.2 Test Data Criteria 
6. Test Procedure and Conditions 
6.1 Test Facilities 
6.2 Test Set-up 
6.3 Test Sequence 
6.4 Test Operations Procedure 


Appendix E - Voting System Test Report Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this 
format may be used upon prior written approval of the Program Director. 


1. System Identification and Overview 
2. Certification Test Background 
2.1 Revision History 
2.2 Implementation Statement 
3. Test Findings 
3.1 Summary Finding 
3.2 Anomalies 
3.3 Correction of Deficiencies 
Appendix A. Additional Findings 
Appendix B. Warrant of Accepting Change Control Responsibility 
Appendix C. Trusted Build 
Appendix D. Test Plan 
Appendix E. State Test Reports 


Appendix F — Voting System Modification Test Report Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this 
format may be used upon prior written approval of the Program Director. 


1. Introduction 
1.1 Description of EAC-certified system being modified 
1.2 References 
1.3 Terms and Abbreviations 
2. Certification Test Background 
2.1 Revision History 
2.2 Scope of testing 
2.2.1 Modification Overview 
2.2.1.1 Detailed list of changes 
2.2.2 Block diagram (if applicable) 
2.2.3 Supported Languages 
2.2.4 VVSG 
2.2.5 RFIs 
2.2.6 NOCs 
3. Test Findings and Recommendation 
3.1 Summary Finding and Recommendation 
3.1.1 Hardware Testing 
3.1.2 System Level Testing 
3.1.3 Source code review 
3.2 Anomalies and Resolutions 
3.3 Deficiencies and Resolutions 
4. Recommendation for Certification 
Appendix A. Additional Findings 
Appendix B. Deficiency report (if applicable) 
Appendix C. Anomaly report (if applicable) 
Appendix D. Test Plan 
Appendix E. State Test Reports (if applicable) 


Appendix G - Certification of Laboratory Conditions and Practices Form 


CERTIFICATION OF LABORATORY CONDITIONS AND 
PRACTICES 


I, the undersigned, having investigated or caused to be investigated each matter, below; 
certify, affirm and acknowledge that each of the following numbered statements are true and 
otherwise accurately reflect the status, condition and operations of ______________ 
(hereinafter “Laboratory”). I understand that by certifying the 
information below, I am making a statement or representation to the U.S. Election Assistance 
Commission required for receiving a Laboratory Accreditation under 42 U.S.C. 
§15371(b). I further understand, that to the extent any of the below representations or 
certifications are found to be materially false, the U.S. Election Assistance Commission may 
revoke any Accreditations granted to the above-named laboratory and that I may be subject 
to criminal prosecution under 18 U.S.C. §1001. 


1. Signing Official. I hereby certify that I am an officer, partner or other official vested with 
the legal authority to speak for, contract on behalf of, or otherwise bind the above noted 
company, corporation, partnership or organization (Laboratory). 


2. Personnel. I certify, consistent with Section 2.4. of the EAC Voting System Test Laboratory 
Program Manual (hereinafter Laboratory Manual), that the laboratory has written policies 
in place to ensure that it does not currently, and will not in the future, employ any 
individuals in any capacity related to the testing of voting systems who have been 
convicted of a felony offense or any criminal offense involving fraud, misrepresentation, 
or deception under either Federal or State law. 


3. Conflicts of Interest and Prohibited Practices. I certify, consistent with Section 2.5. of the 
Laboratory Manual, that the Laboratory maintains and enforces written policies which: 


a. Prohibit conflicts of interest or the appearance of conflicts of interest pursuant to 
Section 2.4.1. of the Laboratory Manual. 


b. Prohibit practices such as participation in both the development and testing of a 
voting system or the solicitation or acceptance of gifts from a voting system 
manufacturer pursuant to Section 2.4.2. of the Laboratory Manual. 


c. Provide clear mechanisms for enforcement of the prohibitions noted above 
pursuant to Section 2.4.3. of the Laboratory Manual. 


4. Financial Stability. I certify, consistent with Section 2.19. of the Laboratory Manual, that 
the laboratory possesses sufficient resources to enable it to properly use and maintain its 
test equipment and facility, to satisfactorily perform all required functions, and to 
adequately indemnify itself against financial liabilities or penalties that may result from 
its operations. 


5. Authority to do Business in the United States. I certify, consistent with Section 2.17. of 
the Laboratory Manual, that the Laboratory is lawfully entitled or otherwise not 
prohibited from doing business with the United States or its citizens or operating in the 
United States. 


6. Recordkeeping. I certify, consistent with Section 2.20. of the Laboratory Manual, that the 
laboratory operates and manages a records system in which it maintains all forms, reports, 
test records, observations, calculations and derived data for all tests performed for a 
period of at least 5 years. 


I, by signing my name below, certify, affirm and acknowledge, under penalty of federal law, 
that each of the above numbered paragraphs accurately represent the operations, conditions 
and practices of ______________ (Laboratory). 


Signed this day, 


(Signature) 


(Name of Signing Official) 


(Title of Signing Official) 


Appendix H - Specification for Reproduction and use of the EAC Laboratory Accreditation Logo 


Specification for Reproduction and use of the EAC Laboratory Accreditation Logo 


To maintain a high level of quality and consistency in a variety of applications, the following 
guidelines have been developed for VSTL use of the EAC laboratory accreditation logo. 


Use and Display 


The EAC VSTL logo contains the following elements: 

The “U.S. Election Assistance Commission” and “VSTL” logotype separated by a divider rule. 
The EAC will provide all accredited VSTLs with high resolution digital files for use on 
approved written or electronic documents. 


The logo may only be used by EAC accredited VSTLs and must not misrepresent the specific 
standards or guidelines to which the VSTL has been accredited. The EAC VSTL logo may be 
displayed on all reports and work documents that contain exclusive results from testing 
activities that have been carried out within the labs’ EAC scope of accreditation. Accredited 
laboratories may also incorporate the logo in publicity and/or advertising materials, including 
brochures and organization publications, technical literature, business reports, Web sites and 
quotations or proposals for work. 


Only the approved version of the VSTL logo may be used. When using the logo: 


• Do not print the logo in black over a dark background. 
• Do not change any colors of the logo. 
• Do not configure the elements of the logo in a different format. 
• Do not crop or remove any part of the logo. 
• Do not distort the logo. 
• Do not tilt the logo in any direction. 
• Do not add shadows, effects or other elements to the logo. 
• Do not change the typeface/font used in the logo. 


Minimum Size 


The full VSTL logo must remain readable in all uses and should not be reduced to a size smaller 
than 2.5 inch x 1 inch. 


Minimum Clear Space 


The clear space surrounding the VSTL logo is an integral part of the logo design. An area of 
clear space must be maintained around the logo to prevent it from being in conflict with other 
design elements on the page. The clear space should measure at least X on all sides, where X 
equals 2 the height of the upper-case letters “VSTL” in the logo. Do not place any other logo, 
logotype, trademark, text, or other graphic element in the minimum clear space area. 


One Color Printing 


A black version of the logo may be printed on white or light color background paper. In these 
instances, the logo should appear in 100% black. 


Color Printing 


Whenever possible, the full color version of the logo should be used. The appropriate colors are 
provided below for 4 color process printing or RGB for electronic use. 


Blue 
CMYK = 98/78/0/29 
RGB = 0/51/153 
HSL = 156/255/77 


Red 
CMYK = 5/96/98/5 
RGB = 204/51/0 
HSL = 10/255/102 

Embossing on “VSTL” = CMYK 97/92/0/65 